Jump to content

Rogue service process left after otherwise successful MBAM detection/deletion

Recommended Posts

My son's computer was attacked a couple of days ago when he browsed to a malicious website.

He ran MBAM (1.50.1, database version 5383), which detected and deleted *most* of the malicious attack artifacts, but not all.

The attack disabled his Microsoft Security Essentials -- removed the MSSE entry from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, disabled the MsMpSvc service, and launched a malicious service (in a rundll32.exe launched by the regular svchost.exe for the netsvcs service group).

The maliciously launched rundll32.exe loaded a dll named ntmsdba2.dll that had been dropped in c:\windows\system32.

When that process was running, MSSE was unable to initialize when launched -- it exited within seconds of being launched manually.

The attack-dropped ntmsdba2.dll had been attributed system, hidden, read-only, and ACLed to prevent deletion.

MBAM did not detect it when in that state.

I killed the rundll32.exe and then used cacls.exe to overwrite the ACLs with EVERYONE:F, and removed the S H & R attributes.

After doing that, I ran another MBAM scan, which *did* detect it, and an apparently associated registry key as well:

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\H3O8CABBPI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\ntmsdba2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

We have a remaining issue however -- the svchost.exe is still attempting to launch the malicious service. The rundll32.exe does not exit, even though the dll has been deleted. Its command line is:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ntmsdba2.dll",Bkmap

However there doesn't seem to be a service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, or an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs, corresponding to this process.

It's unclear to me what the mechanism is by which the process is being launched. It appears to be launched at boot time, but not in safe mode.

I have searched the registry for the string "ntmsdba2" anywhere in any key, value, or data -- nothing found. If the dll filename is being stored in the registry anywhere it must be in something other than clear text.

I have searched the file system (with Explorer set to view hidden and system files, of course) for files containing the string "ntmsdba2" -- no luck. Again, if it's being stored in the file system, it's not in clear text.

The svchost.exe and rundll32.exe program files themselves appear to be OK -- they byte-compare identical to copies of the respective file taken from an uninfected system running the same OS revision (WinXP SP3, with all critical updates pushed by Microsoft through 12/23/10).

I have checked the system for rootkits using GMER, RootRepeal, Sysinternals RootkitRevealer, HitManPro 3.5, and Kaspersky's TDSSKiller -- none of them reported anything that didn't have a legitimate explanation.

Can anyone briefly explain the possible mechanisms by which svchost.exe can be induced to launch a rundll32.exe, suggest additional places and/or formats to look for a stored representation of the rundll32 command line or dll filename ("ntmsdba2"), or know enough about the propagation and operation of Trojan.Agent to help identify how the rogue service process is still being launched? (And does anyone know why the rundll32.exe doesn't exit, if the dll named on its command line doesn't exist in the file system?)

At least with the dll itself gone, MSSE now has no trouble coming up and initializing at boot.

Any help appreciated -- please let me know if I can run and post any diagnostics that will help.

Link to post
Share on other sites

Hello, and welcome to Malwarebytes.org

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.